Collective Defense

What it is and how it works

Collective defense is a proactive, collaborative approach to cybersecurity that involves organizations working together within and across sectors to defend against targeted cyber threats. By sharing correlated threat behaviors across the ecosystem, participating organizations can mutually aid in the detection, remediation, and mitigation of cyber threats to individual enterprises, business ecosystems, industry sectors, states, and nations.

Collective defense to cyber attacks

Evolution of Collective Defense

The notion of collective defense is nothing new. From a geopolitical standpoint, NATO has upheld the principles of collective defense for decades through its long-standing military alliance. As NATO famously stated in article 5 of its founding treaty: an attack against one member is considered an attack against all members.

The same principle applies in this new approach to cybersecurity, where organizations face constant threat of cyber attack from nation states, hackers, and criminals. These threat actors are known to work together to share techniques, forming an effective “collective offense” to infiltrate organizations.

To combat this growing cyber threat, companies are increasingly adopting a collective defense strategy to actively share cyber threat intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, collaborative organizations can more effectively spot malicious activity and greatly reduce attacker dwell time to mitigate threats before damage occurs.

Enterprises participating in a collective defense benefit from the situational context and any higher-order analysis at the aggregate level that helps identify unknown cyber threats targeting their organization, business ecosystem, or region. With collective defense, they can:

  • 1. Increase visibility into threat landscape

    • By shifting cyber defense from reacting to attacks to proactively defending against threats
    • By improving the organization’s confidence and security readiness to defend what is coming around the corner.
  • 2. Reduce impact of an attack

    • By increasing the ability to prioritize detection of high-risk threats
    • By improving visibility, detection time, and speed of remediation
  • 3. Improve effectiveness of cybersecurity investments

    • By maximizing existing tools and investments and their ability to close security gaps
    • By improving security outcomes through the sharing of knowledge and insights with subject matter experts across peers across a business ecosystem, industry sector, or region.

“As commander for US Cyber Command, we had a responsibility to defend the nation. One of the issues I saw was that we couldn’t see cyber attacks against our nation. As a consequence the government’s response was always incident response, which means after the attack. We wanted to come up with a way to help the government see the attacks and companies stop the attacks before something bad happened – not after.”

General (Ret.) Keith Alexander, Founder and Co-CEO of IronNet Cybersecurity, and former Director of the U.S. National Security Agency and Founding Commander of the U.S. Cyber Command

How Collective Defense Works

The concept of collective defense covers the three critical areas of a holistic cybersecurity strategy for protecting people, process, and technology. Network-speed detection and rapid response reduce attacker dwell time but, equally as important, knowledge sharing is critical so that everyone can defend, at the same time.

IronNet collective defense group chart


Today’s attackers can easily bypass cyber defenses using a number of basic techniques — from changing their command and control infrastructure, modifying malware toolkits, or leveraging non-malware based methods such as stolen credentials to hide their activity from signature-based and simple anomaly or outlier-based behavioral analysis systems. Additionally, the sheer scale of devices and network communications in a modern enterprise — coupled with the need to work with a multitude of partners, suppliers, public cloud providers, and other third-party entities — increases the difficulty of identifying threats in a silo.

1. Increased visibility across the threat landscape

It is difficult to defend threats that your security team cannot see. While enterprises can and should fortify their cyber defenses, improving the ability to share threat insights with industry peers, business ecosystems, or other groups is critical to increasing the efficacy of all participants. Much like an air traffic control system, where individual enterprises are akin to individual radar towers, the ability to share at machine speed is critical for developing a real-time cyber map of the threat landscape that enables all participants to see where threats are coming from and, most importantly, optimize their cyber defenses to actual threats targeting their enterprise.

3. Correlated insights in situational context

Technologies such as advanced analytics, AI, and machine learning can be used to identify anomalous behavior and generate alerts in real time. However, it is often difficult at an individual enterprise level to distinguish malicious from merely anomalous behaviors without additional context from a broader community of peers. Collective defense delivers group-level threat detection by aggregating pre-triaged anomalies at the individual enterprises and then applying high-order analysis and correlation that help identify threat campaigns targeting the collective, broader command-and-control infrastructure. Collective defense facilitates the distribution of peer insights on the ways individual companies have triaged similar anomalies in their environments.

2. Group-level threat detection and peer correlation

To identify threats early enough to make a difference, those engaged in collective defense must deploy a more proactive and behavioral-based detection capability to analyze network anomalies and to share those insights at machine speed to counter the evasive techniques used by many threat actors today.


What makes collective defense such a powerful tool is the cyber threat sharing platform that allows participating organizations to become aware of and thwart cyber attacks targeting similar organizations. By sharing cyber anomalies in real time across a community of peers and within situational context, companies can identify attackers earlier in the attack cycle (that is, the cyber kill chain) when many of their methods fall below the threshold of detection. In other words, behavioral analytics can detect “unknown unknowns,” making this new approach to cybersecurity a stronger defense approach than signature-based analytics often used in NTA solutions.

  • 1. Real-time, machine-speed sharing of detected anomalies

    Collective defense systems are based on two types of data sharing: automatic and active. Automatic sharing is how the majority of information feeds into the collective defense system. With automatic sharing, all threat activity on a company’s network is anonymized and securely shared within the collective defense ecosystem. By automatically sharing behaviors earlier in the kill chain and to all members in the ecosystem, collective defense systems reduce adversarial dwell time and impact.

  • 2. Sharing human insights across supply-chain, ecosystems, and industries.

    Active data sharing goes a step further by allowing organizations to voluntarily add notes to events entering the collective defense system. Just as the navigation app Waze allows drivers to inform other drivers of accidents, speed traps, and other road obstacles, active and real-time sharing in collective defense allows companies to inform the community of any insight gathered on the threat.

  • 3. Sharing that complements what Information Security and Analysis (ISAC) groups and Threat Intelligence Platforms (TIPs) do today.

    While ISACs and TIPs provide a critical and essential role of sharing important Indicators of Compromise (IOCs), these usually focus primarily on signature-based indicators, and knowledge sharing happens only after a long period of investigation, triage, and sometimes legal review by the affected enterprise. As such, threats can last weeks, if not months, before they are shared.

    Whether automatic or active, suspicious activity fed into the collective defense system allows technology to be applied by the host system to search for correlations in all threat activities. This ability to identify and correlate patterns of behaviors in seemingly unrelated anomalies enables the system to identify threat groups that use similar strategies to target enterprises.

  • 4. Optional sharing with government

    Collective defense improves the visibility and coordination between private sector enterprises with their public sector counterparts. This is especially important in sectors such as energy, finance, healthcare, defense, and critical infrastructure industries. By providing an anonymized view to the government from enterprises that have opted-in to collective defense threat sharing, governments will get additional insights to nation-state activity or advanced cyber criminal organizations activity that they may be tracking so that they may be able to take action or to provide early warnings to companies.


The final step is taking action against threats. While collective defense systems do not actively respond to threats facing individual organizations — by learning about possible threats earlier in the cyber kill chain —  enterprises, industries, and nations can act faster using their own tools and tactics. The contextual data and added threat intelligence from the collective defense members give response teams a head start on mitigation.

1. Individual-level response

Whenever a threat is identified in the collective defense system, member organizations receive a malicious alert notification. This approach spurs evasive action such as creating firewall rules or using SOAR systems to block the malicious traffic. Work is typically done by in-house SOC teams or third-party cybersecurity service providers.

2. Collective-level response

The distribution of threat insights of malicious activity detected in a member to all enterprises in the collective defense community enables all to take defensive actions. Much like in the physical world of how an attack on one NATO member results in a response by all members, responding together in cyber at the collective level degrades the ability of a threat actor to target members one-by-one using the same Tactics, Techniques, and Procedures (TTPs). Taken at scale, this approach can slow down the speed of attacks and effectiveness of threat campaigns by forcing threat actors to continually create new TTP playbooks instead of reusing existing TTPs with minor modifications to target multitudes of individual enterprises.

3. National-level response

Providing an anonymous, opt-in view to governments allows them to see threats targeting critical infrastructure, assess the risk, and, in turn, take action using all powers at their disposal. This adds an additional level defense at the national level by allowing law enforcement takedown of malicious infrastructure or to leverage cyber, political, economic, diplomatic, or other elements of power at their disposal to stop threat actors from targeting enterprises within the country.

The Case for Collective Defense


Collective Offense Calls for Collective Defense

To test the appetite for cyber collaboration among senior cybersecurity executives, independent research firm Vanson Bourne interviewed 200 U.S. security IT decision makers from multiple industries. Findings show strong support for collective defense.

Among the study’s key findings

Current systems are inadequate against today’s threats


of respondents are most likely to rate their organization’s cybersecurity technology, systems, and tools as advanced.

1 in 3

Nonetheless, respondents suffered an average of one cybersecurity incident every three months.


of respondents say that the severity was such that C-level/board meetings were required afterwards.

Cybersecurity leaders have an appetite for collective defense


of respondents say their organization would be willing to increase the level of threat sharing with industry peers if it demonstrably improved their ability to detect threats.


of respondents say they would increase their level of threat sharing with government if it enabled the government to use political, economic, cyber or other national-level capabilities to deter cyber attacks.

The survey concludes that in the face of adversaries who are increasingly collaborating for a collective offense, organizations must mature their collective defense to meet these powerful and ever-changing threats.


The definitive collective defense guide

A steady increase in collaboration and capabilities among threat actors has placed companies in a position where they can no longer work alone on cyber defense.

In this ebook, you will learn:

  • The meaning of collective defense in cybersecurity, and the benefits of behavioral detection at scale across an industry sector.
  • How collective defense is revolutionizing the way companies of all sizes are approaching cyber defense.
  • What a proactive approach to cyber defense means for your organization.

Collective Defense Case Study: Con Edison

11 million New Yorkers rely on Con Edison for power, making cybersecurity a top enterprise risk. But despite huge investments in technology, Con Edison remained concerned over its ability to analyze network traffic and defend against known threats to outside organizations. Investing in collective defense with IronNet’s IronDome solution gave Con Edison peace of mind.

“The value proposition associated with the Dome is not just about Con Edison. It’s about the entire sector — and other sectors — that are at risk from a cyberattack. Understanding what’s going on in those networks compared to ours makes us collectively stronger and better able to mitigate those risks.”

Manny Cancel, former VP and CIO of Con Edison

Who’s Using Collective Defense?

Most industries working to defend against fast-evolving cyber threats recognize the value in collective defense. By sharing cyber threat intelligence with each other in near real-time, organizations are able to shift from a reactive posture to a proactive one.

IronNet collective defense for energy and utilities sectors isometric graphic of laptop

Energy and utilities

Energy grids are a top target for threat actors. That’s why major utility companies across the U.S. are banding together to defend against cyber attacks with a collective defense strategy that safeguards infrastructure, power availability, resiliency, and public safety. Today, five major utilities share cyber events, a collective defense shield spanning 25 states and nearly 35 million customers.

IronNet collective defense for financial sector isometric graphic of laptop

Financial services

Collective defense empowers financial enterprises to strengthen consumer and B2B trust by lowering risk across the digital ecosystem. The world’s biggest financial services companies rely on collective defense to protect their customers, assets, and reputation. These include a top global financial services company, the world’s largest custodian and asset servicing bank, and the biggest hedge fund on the planet.

IronNet collective defense for public sector isometric graphic of laptop

Public sector

Collective defense has proven successful in the public sector. That’s why governments and leading public organizations across Asia Pacific and the Middle East are working together to form collective defense strategies at the industry and national levels. It also involves working collaboratively across the public-private sector, including with government agencies, to counter nation-state and asymmetric adversaries.

IronNet collective defense for healthcare isometric graphic of laptop


Healthcare data breaches are all too common these days, an unfortunate side effect of having billions of connected medical devices around the world. Collective defense offers strong protection against increasingly sophisticated hackers targeting IoT health data. Collective defense with advanced threat protection guards against critical uptime while fortifying patient, intellectual property, and data privacy.

IronNet collective defense for defense industry isometric graphic of laptop

Defense industry

Collective defense empowers Defense Industrial Base (DIB) enterprises to secure networks and defend complex supply chains from advanced attacks.

Get Collective Defense
with IronDome

IronDome is the cybersecurity industry’s first collective defense solution. IronDome takes alerts and cyber anomalies generated from IronDefense – IronNet’s scalable network traffic analysis platform – and shares them quickly, safely, and anonymously across IronDome members. These events are then correlated across industry peers to identify sector-wide adversarial campaigns that would be challenging to detect alone. Notification of these correlations is provided in real-time to IronDome participants, giving them faster visibility into potential threat campaigns targeting their industry.

IronDome collective defense with behavior-based analytics

Who benefits from IronDome Collective Defense?

With IronDome, companies of all sizes can implement collective defense. Whether you’re a Fortune 500 enterprise, a midsize company or a small business, IronDome can be tailored to provide a world-class threat detection capability for any budget.